Think You're HIPAA Compliant? You May Not Be - and Even If You Are, It May Not Be Enough to Protect Patient Data

Many health care organizations believe they’re compliant with HIPAA. However, there’s no way to certify compliance, so cybersecurity issues often only come to light after a data breach is discovered.

As the number of cyberattacks on health care organizations continues to increase, understanding how to secure sensitive data is paramount. In 2017, for example, at least 342 providers were impacted by an attack, according to the HIPAA Journal. Implementing best practices and employing the highest standards for cybersecurity protection is simply no longer a luxury; it’s a necessity, because health care organizations are now required by law to become proactive in the application of cybersecurity controls and the prevention of data breaches.

One solution is utilizing the HITRUST CSF®—a comprehensive and certifiable framework used to protect sensitive information, which provides a more robust set of controls that health care organizations can implement to help discourage cyberattacks and demonstrate that their controls comply with HIPAA requirements.

HIPAA Challenges

It’s a common misperception among health care providers that maintaining HIPAA compliance effectively protects patient data from most cyberthreats.

Maintaining compliance with HIPAA regulations often isn’t enough to protect patient data on its own. Cyberattacks continue to grow more complex, and the traditional network perimeter for many organizations continues to dissolve as they adopt cloud-based environments, integrate Internet of Things (IoT) devices, and expand mobile device usage. And because there’s no way to obtain a certification for HIPAA compliance, organizations are left to guess whether their controls actually satisfy HIPAA requirements.

The foundations of the HIPAA Security, Privacy, and Breach Notification rules date back to 1996. It’s a framework of information security controls that predates modern-day risks, such as ransomware, cloud computing, mobile devices, outsourced IT, and IoT—so it wasn’t specifically designed to deal with them.

Despite the numerous standards and implementation specifications in these three rules, there’s insufficient prescriptive guidance on how to implement proper controls. The measurement of compliance with the controls outlined in the Security Rule is also often nebulous, lost in phrases such as “reasonable and appropriate safeguards” and “adequate protection.”

Given the ambiguity involved, it’s likely that many organizations that have experienced security breaches felt they were in compliance with the HIPAA Security, Privacy, and Breach Notification standards.

The US Department of Health and Human Services (HHS) doesn’t offer a HIPAA certification either. Instead, the determination of a health care organization’s compliance with HIPAA standards is left to auditors at the Office for Civil Rights (OCR). This results in an inconsistent application of perceived HIPAA standards across the industry, leaving many organizations unclear on whether or not they’re compliant with HIPAA standards and if their data is properly secured.

How the HITRUST CSF Can Help

The HITRUST CSF was specifically developed for the health care industry in 2007 and provides a framework that’s consistently updated to prescriptively improve an organization’s regulatory compliance and risk management practices in ways that can be applied to even the latest technologies.

In January 2018, HITRUST® introduced the latest interim version of the CSF: v9.1. It provides clearer and more specific guidance on the implementation of security controls, which it achieves by drawing control objectives and guidance from the HIPAA Security Rule as well as other control frameworks and legislation, including:

PCI DSS
NIST CSF
COBIT 5
ISO/IEC 27002:2013
General Data Protection Regulation (GDPR)

The HITRUST CSF adds clarity by giving organizations specific, actionable control specifications that can be implemented to ensure data protection.

While HHS doesn’t offer a certification of HIPAA compliance, HITRUST does offer HITRUST CSF Certification. At a minimum, organizations must meet 75 of the 149 HITRUST CSF control specifications to gain certification and address the HIPAA Security Rule.

HITRUST strongly recommends performing a self-assessment, or engaging a third party to perform a readiness assessment, before starting the official certification process. These assessments help verify that every control specification required for HITRUST CSF Certification has been reviewed for implementation and is operating effectively within the organization.

Why It Matters

The value of a HITRUST CSF Certification has grown substantially and is becoming more recognized within the industry as a trusted level of organizational controls over IT.

Because of its growing prominence within the industry, the certification can be effectively leveraged as a marketing tool to help secure the trust of patients, customers, and business partners—all while simultaneously verifying that trust is warranted.

And by making controls, supporting processes, and documentation readily available and current, the certification process can also help reduce the time required for other types of audits or assessments.

Kevin Villanueva is a partner with our IT Consulting group and has worked in the IT field since 1997. He focuses on IT security assessments, penetration testing, HIPAA compliance audits, and strategic technology planning. He can be reached at (206) 302-6542 or kevin.villanueva@mossadams.com.

Brandon Gunter has provided IT consulting services since 1997. He initiates cross-functional technology solutions and improvements, security program enhancements, and risk management programs for clients across multiple industries.